Unexplained behavior in an OpenShift 4.4.17 cluster: the oauth-openshift Deployment (in the openshift-authentication namespace) has replicas=2; the first pod is Running with:
openshift.io/scc: anyuid
The second pod goes into CrashLoopBackOff state, and the SCC assigned to it is the one below:
openshift.io/scc: nginx-ingress-scc (a customized SCC for nginx purposes)
According to the documentation:
By default, the pods inside the openshift-authentication and openshift-authentication-operator namespaces run with the anyuid SCC.
I suppose something has been changed in the cluster, but I cannot figure out where the mistake is.
The oauth-openshift Deployment is in its default configuration:
serviceAccountName: oauth-openshift
namespace: openshift-authentication
$ oc get scc anyuid -o yaml
users:
system:serviceaccount:default:oauth-openshift
system:serviceaccount:openshift-authentication:oauth-openshift
system:serviceaccount:openshift-authentication:default
$ oc get pod -n openshift-authentication
NAME READY STATUS RESTARTS AGE
oauth-openshift-59f498986d-lmxdv 0/1 CrashLoopBackOff 158 13h
oauth-openshift-d4968bd74-ll7mn 1/1 Running 0 23d
$ oc logs oauth-openshift-59f498986d-lmxdv -n openshift-authentication
Copying system trust bundle
cp: cannot remove '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem': Permission denied
$ oc get pod oauth-openshift-59f498986d-lmxdv -n openshift-authentication -o=yaml|grep serviceAccount
serviceAccount: oauth-openshift
serviceAccountName: oauth-openshift
$ oc get pod oauth-openshift-59f498986d-lmxdv -n openshift-authentication -o=yaml|grep scc
openshift.io/scc: nginx-ingress-scc
Auth Operator:
$ oc get pod -n openshift-authentication-operator
NAME READY STATUS RESTARTS AGE
authentication-operator-5498b9ddcb-rs9v8 1/1 Running 0 33d
$ oc get pod authentication-operator-5498b9ddcb-rs9v8 -n openshift-authentication-operator -o=yaml|grep scc
openshift.io/scc: anyuid
The managementState is set to Managed
First of all, you should check whether your SCC priority is customized or not. For example, the anyuid SCC priority is 10, and it's the highest by default.
But if another SCC (in this case, nginx-ingress-scc) is configured with a priority higher than 10, then that SCC is selected for the oauth pod unexpectedly. It may cause this issue.
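As an added illustration of the ordering the answer describes (this is example code, not part of the question or the answer, and not OpenShift's own implementation), the script below takes a constructed, trimmed `oc get scc -o json`-shaped document and ranks the SCCs a service account may use the way the documented admission order does: highest priority first (a missing priority counts as 0), then most restrictive, then by name. Admission then validates the pod against the SCCs in that order and the first one that admits it is applied. Assumptions not taken from the page: that nginx-ingress-scc has priority 11 and is granted to every service account through the `system:serviceaccounts` group (the post only says its priority was above 10), and that the restrictiveness tie-break can be approximated by counting permissive settings rather than OpenShift's real weighted score.

```python
"""Rank the SCCs a service account can use, in OpenShift admission order.

Added example, not code from the original post. The restrictiveness score
is a simplified stand-in for OpenShift's weighted scoring: it only needs
to keep "more permissive sorts later" for the tie-break.
"""
import copy
import json

# Constructed sample in the shape of `oc get scc -o json`, trimmed to the
# fields used here. The priority of 11 on nginx-ingress-scc and its grant
# via the system:serviceaccounts group are ASSUMPTIONS that reproduce the
# situation in the question; the real cluster objects were not shown.
SCC_LIST_JSON = r'''
{"items": [
  {"metadata": {"name": "anyuid"}, "priority": 10,
   "allowPrivilegedContainer": false, "allowHostNetwork": false,
   "allowHostPID": false, "allowHostIPC": false, "allowHostPorts": false,
   "allowHostDirVolumePlugin": false, "allowedCapabilities": null,
   "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "MustRunAs"},
   "users": ["system:serviceaccount:default:oauth-openshift",
             "system:serviceaccount:openshift-authentication:oauth-openshift",
             "system:serviceaccount:openshift-authentication:default"],
   "groups": ["system:cluster-admins"]},
  {"metadata": {"name": "restricted"}, "priority": null,
   "allowPrivilegedContainer": false, "allowHostNetwork": false,
   "allowHostPID": false, "allowHostIPC": false, "allowHostPorts": false,
   "allowHostDirVolumePlugin": false, "allowedCapabilities": null,
   "runAsUser": {"type": "MustRunAsRange"}, "seLinuxContext": {"type": "MustRunAs"},
   "users": [], "groups": ["system:authenticated"]},
  {"metadata": {"name": "nginx-ingress-scc"}, "priority": 11,
   "allowPrivilegedContainer": false, "allowHostNetwork": false,
   "allowHostPID": false, "allowHostIPC": false, "allowHostPorts": true,
   "allowHostDirVolumePlugin": false, "allowedCapabilities": ["NET_BIND_SERVICE"],
   "runAsUser": {"type": "MustRunAsRange"}, "seLinuxContext": {"type": "MustRunAs"},
   "users": [], "groups": ["system:serviceaccounts"]}
]}
'''

PERMISSIVE_FLAGS = ("allowPrivilegedContainer", "allowHostNetwork", "allowHostPID",
                    "allowHostIPC", "allowHostPorts", "allowHostDirVolumePlugin")


def load_sccs(text=SCC_LIST_JSON):
    """Parse an `oc get scc -o json` style list."""
    return json.loads(text)


def subjects_for_service_account(namespace, name):
    """Identities a service account carries: its user name plus the
    groups every service account is a member of."""
    return {
        f"system:serviceaccount:{namespace}:{name}",
        "system:serviceaccounts",
        f"system:serviceaccounts:{namespace}",
        "system:authenticated",
    }


def restrictiveness_score(scc):
    """Simplified score: lower means more restrictive (assumption, see lead-in)."""
    score = sum(1 for flag in PERMISSIVE_FLAGS if scc.get(flag))
    score += len(scc.get("allowedCapabilities") or [])
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        score += 1
    if (scc.get("seLinuxContext") or {}).get("type") == "RunAsAny":
        score += 1
    return score


def rank_sccs(scc_list, namespace, sa_name):
    """SCCs granted to the SA (directly or via a group), in admission order:
    priority descending (None == 0), then most restrictive, then name."""
    subjects = subjects_for_service_account(namespace, sa_name)
    granted = [s for s in scc_list["items"]
               if subjects & (set(s.get("users") or []) | set(s.get("groups") or []))]
    return sorted(granted, key=lambda s: (-(s.get("priority") or 0),
                                          restrictiveness_score(s),
                                          s["metadata"]["name"]))


def selected_scc_name(scc_list, namespace, sa_name):
    """Name of the SCC tried first; it is what the pod gets when its spec
    validates against it (true for the oauth-openshift pod spec here)."""
    ranked = rank_sccs(scc_list, namespace, sa_name)
    return ranked[0]["metadata"]["name"] if ranked else None


def with_priority(scc_list, scc_name, priority):
    """Copy of the list with one SCC's priority changed, modelling
    `oc patch scc <name> --type=merge -p '{"priority": <value>}'`."""
    patched = copy.deepcopy(scc_list)
    for scc in patched["items"]:
        if scc["metadata"]["name"] == scc_name:
            scc["priority"] = priority
    return patched


if __name__ == "__main__":
    sccs = load_sccs()
    print("before:", [s["metadata"]["name"] for s in rank_sccs(sccs, "openshift-authentication", "oauth-openshift")])
    fixed = with_priority(sccs, "nginx-ingress-scc", None)
    print("after: ", [s["metadata"]["name"] for s in rank_sccs(fixed, "openshift-authentication", "oauth-openshift")])
```

On a live cluster the equivalent check is `oc get scc -o custom-columns=NAME:.metadata.name,PRIORITY:.priority`, which lists every SCC beside its priority; any custom SCC at 10 or above that is granted broadly (for example via `system:serviceaccounts` or `system:authenticated`) will outrank anyuid for every service account, not only oauth-openshift. Dropping the custom SCC's priority (or scoping its `users`/`groups` to the nginx service account alone) restores the order the operator expects.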
The problem was that the customized SCC (nginx-ingress-scc) had a priority higher than 10, which is anyuid's priority. Now solved.